Add chapter security
This commit is contained in:
Sandro Keil
@@ -50,7 +50,7 @@ The complete file should look something like this.
|
||||
#%PAM-1.0
|
||||
|
||||
auth required pam_unix.so try_first_pass nullok
|
||||
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
|
||||
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
|
||||
auth optional pam_permit.so
|
||||
auth required pam_env.so
|
||||
|
||||
@@ -67,11 +67,11 @@ session optional pam_permit.so
|
||||
```
|
||||
|
||||
## Test it
|
||||
Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
|
||||
Arch Linux loads the [PAM](https://wiki.archlinux.org/index.php/PAM "Linux Pluggable Authentication Modules (PAM) ") config files on every login. So simply switch to
|
||||
another tty and try to login. After you have entered your password, the YubiKey should flash and you have to touch the
|
||||
YubiKey button. Good luck!
|
||||
|
||||
**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
|
||||
**Congratulations**! You have hopefully successful finished the YubiKey Full Disk Encryption Guide. You have reached the
|
||||
following goals which is really awesome!
|
||||
|
||||
- YubiKey encrypted `root (/)` and `home (/home)` folder on separated partitions
|
||||
@@ -80,4 +80,6 @@ following goals which is really awesome!
|
||||
- YubiKey authentication for user login
|
||||
|
||||
If you have any suggestions don't hesitate to [create an issue](https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi/issues "Create a new issue") to improve this guide.
|
||||
Also spread the word about this guide so more people can secure their system.
|
||||
Also spread the word about this guide so more people can secure their system.
|
||||
|
||||
You should now check the *security* chapter to improve security further.
|
||||
22
book/security/bookdown.json
Normal file
22
book/security/bookdown.json
Normal file
@@ -0,0 +1,22 @@
|
||||
{
|
||||
"title": "Security",
|
||||
"content": [
|
||||
{"disable-intel-amt": "disable-intel-amt.md"},
|
||||
{"disable-amd-psp": "disable-amd-psp.md"}
|
||||
],
|
||||
"theme": {
|
||||
"toc": {
|
||||
"collapsibleFromLevel": 1
|
||||
}
|
||||
},
|
||||
"template": "bookdown/themes",
|
||||
"tocDepth": 2,
|
||||
"target": "../html",
|
||||
"numbering": false,
|
||||
"extensions": {
|
||||
"commonmark": [
|
||||
"Webuni\\CommonMark\\TableExtension\\TableExtension",
|
||||
"Webuni\\CommonMark\\AttributesExtension\\AttributesExtension"
|
||||
]
|
||||
}
|
||||
}
|
||||
13
book/security/disable-amd-psp.md
Normal file
13
book/security/disable-amd-psp.md
Normal file
@@ -0,0 +1,13 @@
|
||||
# Disable AMD PSP
|
||||
This page describes how to disable AMD Secure Processor aka AMD Secure Technology.
|
||||
Please read the whole page before you begin. The AMD PSP is a
|
||||
[security risk](https://www.scmagazineuk.com/security-issue-found-amds-platform-security-processor/article/1473518 "Security issue found in AMD's Platform Security Processor").
|
||||
|
||||
> Don't forget to set a secure BIOS supervisor password!
|
||||
|
||||
## Disable AMD PSP in BIOS
|
||||
> **Attention:** If you don't see any option to disable AMD PSP, check
|
||||
if you have installed the latest BIOS version.
|
||||
|
||||
Boot into BIOS and search for an entry *BIOS PSP Support* and disable it.
|
||||
It should be in menu *Advanced*.
|
||||
35
book/security/disable-intel-amt.md
Normal file
35
book/security/disable-intel-amt.md
Normal file
@@ -0,0 +1,35 @@
|
||||
# Disable INTEL AMT
|
||||
This page describes how to disable INTEL Active Management Technology. Please read the whole page before you begin.
|
||||
The INTEL AMT is a [security risk](https://thehackernews.com/2018/01/intel-amt-vulnerability.html "INTEL AMT vulnerabilities").
|
||||
|
||||
> Don't forget to set a secure BIOS supervisor password!
|
||||
|
||||
## Open INTEL AMT
|
||||
To open INTEL AMT press *CTRL + P* on boot. The default password is *admin* and
|
||||
you should change it to a secure one. You will be ask to change the password
|
||||
on the first login.
|
||||
|
||||
## Disable Intel Management Engine State Control
|
||||
Next step is to [Disable Intel Management Engine State Control](https://www.dell.com/support/article/de/de/debsdt1/sln295179/disable-intel-amt-intel-management-engine-state-control?lang=en).
|
||||
|
||||
1. Choose *Intel ME General Settings* from menu
|
||||
1. Choose *Intel ME State Control* from menu
|
||||
1. Choose *Disable*
|
||||
1. Choose *Previous* from menu
|
||||
|
||||
The machine will reboot now. You can still access INTEL AMT but if you
|
||||
enable it again it should use your password and not the default one.
|
||||
|
||||
## Disable INTEL AMT in BIOS
|
||||
> **Attention:** Depending on the used INTEL AMT version you **can not**
|
||||
disable the Intel Management Engine State Control because then the password will be reset. If you don't
|
||||
see any entry to disable INTEL AMT, check if you have installed the latest BIOS version.
|
||||
|
||||
Boot into BIOS and search for the *Intel AMT* entry and enter it.
|
||||
For Lenovo notebooks it's under the menu *Config*. Choose *Disable* and save BIOS settings.
|
||||
|
||||
## Validate password protection
|
||||
Now it's time to check, if the password is reset if you enable it again. Go into BIOS and enable
|
||||
INTEL AMT, save changes and open INTEL AMT with *CTRL + P*. Enable it again, the machine will reboot.
|
||||
Go into INTEL AMT with *CTRL + P* and now you should not be able to login with password *admin*.
|
||||
Now start from scratch and disable it again.
|
||||
Reference in New Issue
Block a user